Profile Applicability:
Level 2
Description:
AWS instances can access AWS resources either by embedding AWS access keys in API requests or by assigning IAM roles to the instance. IAM roles should be used instead of hardcoded credentials to enhance security and reduce operational risks.
Rationale:
Reduces Credential Exposure:
IAM roles eliminate the need to store AWS access keys within instances.
If credentials are leaked, they can be used outside AWS, increasing attack risks.
Enables Temporary Security Credentials:
IAM roles use temporary credentials that rotate automatically, reducing security risks.
Prevents Manual Key Rotation Issues:
Hardcoded credentials rarely get rotated, increasing the risk of credential compromise.
Compliance & Best Practices:
Required for SOC 2, ISO 27001, PCI-DSS, CIS Benchmark compliance.
Impact:
Benefits:
- Prevents credential leaks by avoiding hardcoded access keys.
- Enhances security by using short-lived AWS credentials.
- Reduces operational burden of manual key rotation.
- Supports least privilege access control.
Potential Challenges:
- Some legacy applications might need modification to support IAM roles instead of access keys.
- If an instance role is incorrectly configured, applications might lose access to AWS resources.
Default Value:
By default, AWS EC2 instances do not have an IAM role assigned.
IAM instance profiles must be manually created and attached.
Pre-Requisites:
AWS Account Access: IAM permissions to create roles, policies, and attach IAM roles.
Required IAM Permissions:
{
"Action": [
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"ec2:DescribeInstances",
"ec2:AssociateIamInstanceProfile"
],
"Effect": "Allow",
"Resource": "*"
}Instance Profile Requirements:
IAM role must be created before it can be attached to an EC2 instance.
AWS Managed Policy AmazonEC2RoleforSSM can be used for general instance access.
Remediation:
Test Plan: Ensure that IAM roles are used for AWS resource access from EC2 instances.
Using AWS Console:
Login to AWS Console: AWS EC2 Console.
Navigate to EC2 Dashboard → Click Instances.
Select an EC2 instance → Click Actions → Select View details.
Scroll down to Security → Check the IAM Role field:
If IAM Role is empty, no role is attached.
If IAM Role is present, the instance has an IAM role.
Repeat steps 3-4 for all EC2 instances in your AWS account.
Using AWS CLI:
- List all EC2 instances in a region:
aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'
- Check IAM roles attached to instances:
aws ec2 describe-instances --region <region-name> --instance-id <Instance-ID> --query 'Reservations[*].Instances[*].IamInstanceProfile'
- If IAM Instance Profile is empty, the instance does not have an IAM role.
Implementation Steps:
Using AWS Console:
Login to AWS Console: AWS EC2 Console.
Navigate to EC2 Dashboard → Click Instances.
Select an EC2 instance → Click Actions → Click Security → Click Modify IAM
If no IAM role exists, Click "Create a new IAM role".
Select an IAM role from the dropdown menu.
Click Update IAM Role.
Repeat for all instances that require an IAM role.
Using AWS CLI:
- List all EC2 instances in a region:
aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'
- Attach an IAM role to an EC2 instance:
aws ec2 associate-iam-instance-profile --region <region-name> --instance-id <Instance-ID> --iam-instance-profile Name="Instance-Profile-Name"
- Verify the IAM role assignment:
aws ec2 describe-instances --region <region-name> --instance-id <Instance-ID> --query 'Reservations[*].Instances[*].IamInstanceProfile'
- Repeat for all instances that require an IAM role.
Backout Plan:
If IAM role assignment causes access issues: Detach the IAM role:
aws ec2 disassociate-iam-instance-profile --region <region-name> --association-id <association-id>
Manually assign previous access keys (temporary fix).
Monitor instance logs for permission errors.
Re-attach the IAM role if needed and validate access.